In-depth security news and investigation

Posts Tagged: Adobe Flash Player update

Adobe and Microsoft both issued updates today to fix critical security vulnerabilities in their software. Microsoft actually released an emergency update on Monday just hours ahead of today’s regularly scheduled “Patch Tuesday” (the 2nd Tuesday of each month) to fix a dangerous flaw present in most of Microsoft’s anti-malware technology that’s being called the worst Windows bug in recent memory. Separately, Adobe has a new version of its Flash Player software available that squashes at least seven nasty bugs.

Last week, Google security researchers Natalie Silvanovich and Tavis Ormandy reported to Microsoft a flaw in its Malware Protection Engine, a technology that exists in most of Redmond’s malware protection offerings — including Microsoft Forefront, Microsoft Security Essentials and Windows Defender. Rather than worry about their malicious software making it past Microsoft’s anti-malware technology, attackers could simply exploit this flaw to run their malware automatically once their suspicious file is scanned.

“To exploit this vulnerability, a specially crafted file must be scanned by an affected version of the Microsoft Malware Protection Engine,” Microsoft warned. “If the affected antimalware software has real-time protection turned on, the Microsoft Malware Protection Engine will scan files automatically, leading to exploitation of the vulnerability when the specially crafted file is scanned.”

On May 8, Microsoft released an out-of-band fix for the problem, demonstrating unusual swiftness in addressing a serious issue with its software.

In addition to the anti-malware product update, Microsoft today released fixes for dangerous security flaws in a range of products, from Internet Explorer and Edge to Windows, Microsoft Office, .NET, and of course Adobe Flash Player.

Adobe and Microsoft on Tuesday each released security updates for software installed on hundreds of millions of devices. Adobe issued an update for Flash Player and for Acrobat/Reader. Microsoft released just four updates to plug some 15 security holes in Windows and related software.

Microsoft’s batch includes updates for Windows, Office and Microsoft Edge (Redmond’s replacement for Internet Explorer). Also interesting is that January 2017 is the last month Microsoft plans to publish individual bulletins for each patch. From now on, some of the data points currently in the individual updates will be lumped into a “Security Updates Guide” published with each Patch Tuesday.

This change mirrors a shift in the way Microsoft is deploying updates. Last year Microsoft stopped making individual security updates available for home users, giving those users instead a single monthly security rollup that includes all available security updates.

Windows users and anyone else with Flash installed will need to make sure that Adobe Flash Player is updated (or suitably bludgeoned, more on that in a bit). Adobe’s Flash update addresses 13 flaws in the widely-installed browser plugin. The patch brings Flash to v. 24.0.0.194 for Windows, Mac and Linux users alike.

Adobe and Microsoft on Tuesday each issued updates to fix multiple critical security vulnerabilities in their software. Adobe pushed a patch that addresses 29 security holes in its widely-used Flash Player browser plug-in. Microsoft released some 14 patch bundles to correct at least 50 flaws in Windows and associated software, including a zero-day bug in Internet Explorer.

Half of the updates Microsoft released Tuesday earned the company’s most dire “critical” rating, meaning they could be exploited by malware or miscreants to install malicious software with no help from the user, save for maybe just visiting a hacked or booby-trapped Web site. Security firms Qualys and Shavlik have more granular writeups on the Microsoft patches.

Adobe’s advisory for this Flash Update is here. It brings Flash to v. 23.0.0.162 for Windows and Mac users. If you have Flash installed, you should update, hobble or remove Flash as soon as possible.

Adobe today released software updates to plug at least 13 security holes in its Flash Player software. Separately, Microsoft pushed out fixes for at least three dozen flaws in Windows and associated software.

The bulk of the flaws Microsoft addressed today (23 of them) reside in the Internet Explorer Web browser. Microsoft also issued fixes for serious problems in Office, the Windows OS itself and Windows Media Player, among other components. A link to an index of the individual Microsoft updates released today is here.

As it normally does on Patch Tuesday, Adobe issued fixes for its Flash and AIR software, plugging a slew of dangerous flaws in both products. Flash continues to be one of the more complex programs to manage and update on a computer, mainly because its auto-update function tends to lag the actual patches by several days at least (your mileage may vary), and it’s difficult to know which version is the latest.

Microsoft today issued 13 patch bundles to fix roughly four dozen security vulnerabilities in Windows and associated software. Separately, Adobe pushed updates to fix a slew of critical flaws in its Flash Player and Adobe AIR software, as well as patches to fix holes in Adobe Reader and Acrobat.

Three of the Microsoft patches earned the company’s most dire “critical” rating, meaning they fix flaws that can be exploited to break into vulnerable systems with little or no interaction on the part of the user. The critical patches plug at least 30 separate flaws. The majority of those are included in a cumulative update for Internet Explorer. Other critical fixes address problems with the Windows OS, .NET, Microsoft Office, and Silverlight, among other components.

According to security vendor Shavlik, the issues addressed in MS15-044 deserve special priority in patching, in part because they impact so many different Microsoft programs but also because the vulnerabilities fixed in the patch can be exploited merely by viewing specially crafted content in a Web page or a document. More information on and links to today’s individual updates can be found here.

Adobe’s update for Flash Player and AIR fixes at least 18 security holes in the programs. Updates are available for Windows, OS X and Linux versions of the software. For Mac and Windows users, the latest patched version is v. 17.0.0.188.

If you use Microsoft or Adobe software products, chances are that software is now dangerously out of date. Microsoft today released seven update bundles to fix two dozen security vulnerabilities in Windows and supported software. Adobe pushed patches to correct critical flaws in Acrobat, Reader and Flash Player, including a bug in Flash that already is being exploited.

Four of the seven updates from Microsoft earned a “critical” rating, which means the patches fix vulnerabilities that can be exploited by malware or attackers to seize control over vulnerable systems without any help from users (save for perhaps visiting a hacked or malicious Web site). One of those critical patches — for Internet Explorer — plugs at least 14 holes in the default Windows browser.

Another critical patch plugs two vulnerabilities in Microsoft Word and Office Web Apps (including Office for Mac 2011). There are actually three patches this month that address Microsoft Office vulnerabilities, including MS14-082 and MS14-083, both of which are rated “important.” A full breakdown of these and other patches released by Microsoft today is here.

Adobe’s Flash Player update brings the player to v. 16.0.0.235 for Windows and Mac users, and fixes at least six critical bugs in the software. Adobe said an exploit for one of the flaws, CVE-2014-9163, already exists in the wild.

“These updates address vulnerabilities that could potentially allow an attacker to take over the affected system,” the company said in its advisory.

For the second time this month, Adobe has issued a security update for its Flash Player software. New versions are available for Windows, Mac and Linux versions of Flash. The patch provides additional protection against a vulnerability that Adobe fixed earlier this year for which attackers appear to have devised unique and active exploits.

Adobe recommends users of the Adobe Flash Player desktop runtime for Windows and Macintosh update to v. 15.0.0.239 by visiting the Adobe Flash Player Download Center, or via the update mechanism within the product when prompted. Adobe Flash Player for Linux has been updated to v. 11.2.202.424.

According to Adobe, these updates provide additional hardening against CVE-2014-8439, which was fixed in a Flash patch that the company released in October 2014. The bulletin for this update is here. Finnish security firm F-Secure says it reported the flaw to Adobe after receiving information from independent researcher Kafeine that indicated the vulnerability was being exploited in-the-wild by an exploit kit (malicious software designed to be stitched into hacked Web sites and foist malware on visitors via browser flaws like this one).

Adobe and Microsoft today each released updates to fix critical security vulnerabilities in their software. Adobe issued patches for Flash Player and AIR, while Microsoft’s Patch Tuesday batch includes seven update bundles to address a whopping 66 distinct security holes in Windows and related products.

The vast majority of the vulnerabilities addressed by Microsoft today are in Internet Explorer, the default browser on Windows machines. A single patch for IE this month (MS14-035) shores up at least 59 separate security issues scattered across virtually every supported version of IE. Other patches fix flaws in Microsoft Word, as well as other components of the Windows operating system itself.

Most of the vulnerabilities Microsoft fixed today earned its “critical” rating, meaning malware or bad guys could exploit the flaws to seize control over vulnerable systems without any help from users, save perhaps for having the Windows or IE user visit a hacked or booby-trapped Web site. For more details on the individual patches, see this roundup at the Microsoft Technet blog.

Adobe’s update for Flash Player fixes at least a half-dozen bugs in the widely-used browser plugin. The Flash update brings the media player to v. 14.0.0.125 on Windows and Mac systems, and v. 11.2.202.378 for Linux users. To see which version of Flash you have installed, check this link.

Microsoft today issued security updates to fix at least 19 vulnerabilities in its software, including a zero-day flaw in the Internet Explorer browser that is already being actively exploited. Separately, Adobe has released a critical update that plugs at least two security holes in its Flash Player software.

Three of the eight patches that Microsoft released earned its most dire “critical” label, meaning the vulnerabilities fixed in them can be exploited by malware or miscreants remotely without any help from Windows users. Among the critical patches is an update for Internet Explorer (MS13-088) that mends at least two holes in the default Windows browser (including IE 11). MS13-089 addresses a critical file-handling flaw present in virtually every supported version of Windows.

Nevertheless, it’s important for IE users to apply these updates as quickly as possible. According to Rapid7, exploit code for the ActiveX vulnerability appeared on Pastebin this morning.

“It was known to be under some targeted exploitation, but that will probably expand now that the exploit is public,” said Ross Barrett, senior manager of security engineering at Rapid7. “I would call patching this issue priority #1.” For what it’s worth, Microsoft agrees, at least according to this suggested patch deployment chart.

In a separate patch release, Adobe issued a fix for its Flash Player software for Windows, Mac, Linux and Android devices. The Flash update brings the ubiquitous player to v. 11.9.900.152 on Mac and Windows systems. Users browsing the Web with IE10 or IE11 on Windows 8.x should get the new version of Flash (11.9.900.152) automatically; IE users not on Windows 8 will need to update manually if Flash is not set to auto-update.

To check which version of Flash you have installed, visit this page. Direct links to the various Flash installers are available here. Be aware that downloading Flash Player from Adobe’s recommended spot — this page — often includes add-ons, security scanners or other crud you probably don’t want. Strangely enough, when I visited that page today with IE10, the download included a pre-checked box to install Google Toolbar and to switch my default browser to Google Chrome.

Adobe and Microsoft each have issued security updates to fix multiple critical vulnerabilities in their products. Adobe released updates for Flash Player, AIR and Shockwave; Microsoft pushed out a dozen patches addressing at least 57 security holes in Windows, Office, Internet Explorer, Exchange and .NET Framework.

Five of the 12 patches Microsoft released today earned its most dire “critical” label, meaning these updates fix vulnerabilities that attackers or malware could exploit to seize complete control over a PC with no help from users.

Thirteen of the 57 bugs squashed in Microsoft’s patch batch address issues with Internet Explorer; other critical patches fix problems in the Windows implementation of Vector Markup Language (VML), Microsoft Exchange, and flaws in the way Windows handles certain media files. The remaining critical patch fixes a flaw that is present only on Windows XP systems.

Updates are available via Windows Update or from Automatic Update. A note about applying these Windows patches: Today’s batch includes an update for .NET, which in my experience should be applied separately. In nearly every case where I’ve experienced problems updating Windows, a huge .NET patch somehow gummed up the works. Consider applying the rest of the patches first, rebooting, and then installing the .NET update, if your system requires it.

And for the second time in a week, Adobe has released an update for its Flash Player software. This one addresses at least 17 distinct vulnerabilities; unlike last week’s emergency Flash Update, this one thankfully doesn’t address flaws that are already actively being exploited, according to Adobe. Check the graphic below for the most recent version that includes the updates relevant to your operating system. This link should tell you which version of Flash your browser has installed. The most recent versions are available from the Adobe download center, but beware potentially unwanted add-ons (like McAfee Security Scan). To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here.